Using a blockchain doesn’t exempt you from securities regulations

A $150 million Ethereum crowdfunding project broke the law, SEC says.

The DAO, a blockchain-based organization created last year, was supposed to demonstrate the potential of Bitcoin competitor Ethereum. Investors pumped $150 million of virtual currency into the project. But then in June 2016, hackers found a bug in the DAO's code that allowed them to steal $50 million from the organization, creating a crisis for the Ethereum community.

A Tuesday ruling from the Securities and Exchange Commission makes clear that security flaws were not the problem with the DAO. The agency says the DAO's creators broke the law by offering shares to the public without complying with applicable securities laws. Though luckily for the DAO's creators, the SEC isn't going to prosecute them.

The sale of DAO shares had all the hallmarks of a conventional stock offering. Prospective shareholders were told their money would be invested in software projects with profits flowing back to shareholders. The SEC reasoned that if something looks like a duck and quacks like a duck, the law should treat it like a duck.

"I perceive this as a positive event," Murck told Ars. Murck has a long history advocating for blockchain-friendly laws, having served as the general counsel and executive director of the Bitcoin Foundation from 2012 to 2015. The ruling provides substantially more clarity than existed before. And while the SEC concludes that the DAO violated securities law, it also makes clear that not every sale of blockchain-based assets is governed by those laws.

The DAO was supposed to be a new kind of company

The Bitcoin network was designed to create a fully decentralized global payment network. The Ethereum project had an even more ambitious goal: to create a general-purpose computing platform on top of blockchain technology. Ethereum programs, called smart contracts, have the ability to perform arbitrary computations as well as receive and spend the Ethereum currency, called ether.

Much like early Bitcoin supporters, Ethereum supporters saw revolutionary potential. Because smart contract code is executed in parallel by many computers and stored in a shared blockchain, it's very difficult to modify or stop. Supporters argued that one potentially revolutionary application of smart contract technology is a decentralized autonomous organization ("DAO")—a virtual corporation run by computer code instead of human beings. Smart contracts can make and receive payments, make business decisions, and even delegate tasks to other smart contracts. The most enthusiastic Ethereum supporters envisioned a future of billion-dollar DAOs that competed on a level playing field with conventional corporations.

The DAO was a project organized by a number of Ethereum luminaries to put the idea of a DAO into practice. It was a piece of software, running on the Ethereum blockchain, to crowdfund the development of Ethereum software. The DAO was designed to accept investments in Ethereum's native currency, ether, and then pay human contractors to work on software projects approved by DAO shareholders. In theory, some of those projects would prove to be profitable, and the profits would be paid back out to DAO shareholders. In May 2016, the DAO raised an incredible $150 million worth of ether.

But there was a huge problem: hackers found a bug in the DAO software that allowed them to steal from the DAO. And because the DAO was designed to be autonomous—that's the A in DAO—there was little the project's creators could do but watch $50 million worth of ether flow out to hackers.

Actually, that's not quite true. The DAO hack was such a big crisis for the fledgling Ethereum community that the Ethereum project's leaders decided to take radical action: they modified the Ethereum project itself to roll back the transactions sending DAO funds to the hackers. The DAO disbanded, and shareholders were given the opportunity to reclaim their funds.

The decision to roll back the stolen transactions solved the DAO's immediate problems, but it raised broader questions for the Ethereum community. The whole point of Ethereum was supposed to be creating a software platform whose operation was outside the control of any human institution. If the project's leaders could roll back transactions they didn't like, what was the point?

The decision to roll back the DAO hack was so controversial that it led to a split in the Ethereum community. Today, there are two versions of Ethereum. Users who objected to the rollback created a new version called Ethereum Classic, in which the promise of immutability was preserved and the hackers got to keep their stolen ether. Today, official ether and "classic" ether trade side by side on cryptocurrency exchanges, with the official currency being worth about 15 times as much as the "classic" version.

The SEC says the DAO's creators broke the law

"Investors who purchased DAO Tokens were investing in a common enterprise and reasonably expected to earn profits through that enterprise," the SEC concludes in its Tuesday ruling. The DAO's investors relied on the managerial efforts of the DAO's creators—as well as a group of people called curators who decided which projects would be brought up for a vote by ordinary DAO shareholders. In short, the DAO fit the conventional definition of an investment security.

That, in the SEC's view, means the DAO's creators should have complied with regulations that govern the offering of stock to the public, starting with registering the offering with the SEC. The DAO's creators failed to do this, potentially opening them up to prosecution. Despite that, the SEC said it had "determined not to pursue an enforcement action."

This means that anyone planning to follow in the DAO's footsteps—hopefully without bugs that allow hackers to steal millions—is going to need a securities lawyer if they offer shares for sale in the United States.

The big question is how far this ruling extends. In recent years, there have been dozens of "initial coin offerings," in which various projects offer cryptocurrency-based tokens to members of the general public:

The privacy-centric browser Brave sold $35 million worth of Ethereum-based "basic attention tokens" in 30 seconds. Brave hopes these tokens will become the currency for a new online advertising model, in which advertisers pay both publishers and users for interacting with their ads.

A distributed storage network called Filecoin is planning an initial coin offering on Thursday. Users will be able to use filecoins to pay third parties to store their files. Filecoin's ICO is offered only to investors wealthy enough to qualify for the SEC's accredited investor status.

Another offering was for Bancor, an Ethereum-based technology for creating blockchain-based tokens. It raised $150 million.

None of these coin offerings fit the definition of a security as squarely as the DAO's offering did. Murck, who counts Filecoin among his clients, told Ars that the key question is what rights a particular coin gives to its owners. If coin owners are promised voting rights in an organization or the right to a share of profits, that's likely to be a security. By contrast, if users mostly buy tokens for a utilitarian purpose—for example, to buy network storage—it's less likely to be a security.

Most of these coin offerings seem closer to this second category. But the legal line is far from clear. With dozens of ICOs happening in recent months—and dozens more expected in the next few months—it's inevitable that some will cross over the legal line.

"The SEC has yet to speak out about this distinction between investment contract and utility token," Murck told Ars. "Some of these other utility tokens that are out there blur the lines. They could become a little more challenging. We need some more guidance from the SEC on that."

Still, Murck was heartened by the fact that the SEC seemed to be going out of its way to signal that unregulated coin offerings don't necessarily run afoul of securities law. "The tone is very helpful," he said. "I thought the whole thing was positive."

Timothy B. Lee
Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times. Email: timothy.lee@arstechnica.com / Twitter: @binarybits